get federated signin working without extra clicks

fix container ref, enable federation by default

we need chi's KA for federation metadata

Author: msherman64

requirements.txt

@@ -2,7 +2,7 @@
 ansible
 ansible-core>=2.13,<=2.14
 
-git+https://github.com/openstack/kolla-ansible@unmaintained/2023.1
+git+https://github.com/ChameleonCloud/kolla-ansible@backport/2023.1
 
 # client tools
 openstackclient

site-config/globals.yml

@@ -32,10 +32,9 @@ virtualenv: /opt/kolla/venv
 ####################
 
 kolla_base_distro: "ubuntu"
+kolla_install_type: "source"
+
 
-# point at the docker registry we want
-# docker_namespace: kolla
-# docker_registry: docker.chameleoncloud.org
 
 # default superadmin user and project
 keystone_admin_user: "admin"
@@ -69,7 +68,7 @@ horizon_custom_themes:
 # Federated login config
 ########################
 
-enable_keystone_federation: false
+enable_keystone_federation: true
 
 keystone_identity_providers:
   - name: "chameleon_dev"
@@ -78,12 +77,17 @@ keystone_identity_providers:
     identifier: "https://auth.dev.chameleoncloud.org/auth/realms/chameleon"
     public_name: Login with Chameleon Dev
     attribute_mapping: chameleon_mapping
-    metadata_folder: "{{ node_custom_config }}/keystone/federation/metadata"
 
 keystone_identity_mappings:
   - name: chameleon_mapping
     file: "{{ node_custom_config }}/keystone/idp_mapping.json"
 
+keystone_oidc_client_id: "keystone-ciab-dev"
+keystone_oidc_client_secret: "public"
+keystone_oidc_provider_metadata_url: "{{ keystone_identity_providers[0].identifier }}/.well-known/openid-configuration"
+
+# keystone must support mapping multiple projects or keycloak federation will fail
 keystone_image_full: ghcr.io/chameleoncloud/kolla/keystone:2023.1-ubuntu-jammy
 keystone_fernet_image_full: ghcr.io/chameleoncloud/kolla/keystone-fernet:2023.1-ubuntu-jammy
 keystone_ssh_image_full: ghcr.io/chameleoncloud/kolla/keystone-ssh:2023.1-ubuntu-jammy
+horizon_image_full: ghcr.io/chameleoncloud/kolla/horizon:2023.1-ubuntu-jammy

site-config/node_custom_config/horizon/custom_local_settings

@@ -99,6 +99,29 @@ OPENSTACK_IMAGE_BACKEND = {
     ],
 }
 
+{% if enable_keystone_federation | bool %}
+WEBSSO_ENABLED = True
+
+WEBSSO_CHOICES = (
+{% for idp in keystone_identity_providers %}
+    ("{{ idp.name }}", "{{ idp.public_name }}"),
+{% endfor %}
+)
+WEBSSO_IDP_MAPPING = {
+{% for idp in keystone_identity_providers %}
+    "{{ idp.name }}": ("{{ idp.name }}", "{{ idp.protocol }}"),
+{% endfor %}
+}
+WEBSSO_DEFAULT_REDIRECT = True
+
+# This really shouldn't have to be set, but it's set at configuration parse
+# time and derived from a value (OPENSTACK_KEYSTONE_URL) that is overriden by
+# our configuration.
+WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
+WEBSSO_DEFAULT_REDIRECT_REGION = '{{ keystone_public_url }}/v3'
+WEBSSO_DEFAULT_REDIRECT_PROTOCOL = 'openid'
+{% endif %}
+
 # The OPENSTACK_HEAT_STACK has the only setting available - enable_user_pass,
 # which can be used to disable the password field while launching the stack.
 # Set to False if HEAT uses trusts by default otherwise it needs to be set as True.